George_Sas
Collaborator

Block Firewall Rule matched but still able to access page ?

Hi Guys.

I have a strange issue... 

I am blocking Social network sites on the firewall and only a few selected people have access to them.
When the BLOCK rule is matched, the people are redirected to a "Blocked" page.

In the APP section I have a rule, number 22 (as an example), that allows Facebook for a specific AccessRole.
Then lower down I have Rule 134 that blocks Facebook and Adult content sites and redirects to the Blocked Page.

Rule 136 is the Allow rule for Internet Access.

Now, when I try to access Facebook, I can see in the log files a match on Rule 134 and the REDIRECT to block page action, but the user is still able to surf on Facebook??
If I try an adult site, I see the same rule match in the logs, but I am not able to surf to the adult website.

Why? I am totally confused.

 

George_Sas
Collaborator

So, Facebook and Adult content are blocked by the same rule: 134!
Traffic to both Facebook and the Adult site HITS the same Rule 134!

If I visit Facebook I just get an Action REDIRECT and in the session: https Traffic Redirected from George (xxx) - (10.131.90.60) to Facebook - (157.240.200.3)
... and I can continue surfing on Facebook. So traffic is REDIRECTED to Facebook but NOT Blocked...

If I try an adult page I get Action Block and I get the IT blocked page...

The same blocking rule contains "Pornography" and "Social Networking". The rule is matched in both cases, but Facebook is allowed and Pornography is blocked.

[Attachment: facebook.png]

I am more confused.

Chris_Atkinson
MVP Platinum CHKP

Please share some additional information to assist, i.e.:

* Major Version
* Jumbo Take
* HTTPS inspection
* Updated Trusted CA

Anecdotally, I've observed better consistency with categorisation in R82+, but you might need a TAC case to understand your issue further.

CCSM R77/R80/ELITE
George_Sas
Collaborator

The cluster runs R81.20 Jumbo Hotfix 127.
As you see, HTTPS is enabled and the Trusted CAs are up to date; I just checked yesterday.
But this should not be about HTTPS inspection, it's an application rule... maybe I am wrong.

the_rock
MVP Diamond

Mind sharing your HTTPS inspection policy? I'm wondering if there is a specific rule there causing this. Keep in mind that policy would always take precedence first.

Best,
Andy
"Have a great day and if it's not, change it"
George_Sas
Collaborator

I have a bunch of Bypass policies (but I can see that Facebook is inspected) and, last in the row, the HTTPS Inspect.

[Attachment: HTTPS.JPG]

the_rock
MVP Diamond

Mind sharing the full log from SmartConsole? Please blur out any sensitive data.

Best,
Andy
"Have a great day and if it's not, change it"